it's just that this country does more to take it on than anybody else in the world. it is an important factor, but, you know, you almost have to deal with who you have to deal with overseas. that's the problem. >> okay. another question. yes, sir. the gentleman back here. >> yes, if drugs were legalized and tasked, would it damage -- >> state your name, please. >> sorry. i'm michael from los angeles, and if drugs were legalized and tacked, would it damage organized crime taking away the revenue and allowing law enforcement to go after other crimes such as human smuggling and intellectual property theft? >> well, certainly, it would change the situation there. there's been a mixed message sent for places where drugs have been legalized.

in canada, there is medical marijuana permitted, and the canadians say that organized # crime is teaking advantage of the fact there is medical marijuana permitted, setting up growth facilities and things like that. in the netherlands, there's been a substantial loosening of drug issues there, but interesting thing is it brought in a lot more drugs in the netherlands since they legalized marijuana to the point that starting this year, the netherlands prohibits any foreigner from going into their pot shops. the checks have legalized a significant amount of drugs recently. that allowed the police and the

resources of the czech republic to focus efforts elsewhere, but it has not done much for the drugs at all, and poe land, i believe it is, there's a fairly successful story of legalizing drugs and things getting better there, so i think it's really going to depend on society that you're looking at. if you have a society as large as the united states and legalize drugs, it's, you know, you are going to change the way the money flows, but it's not beginning to get rid of organized crime. it's just operating in a different way. >> other thoughts, liz? >> yeah, i think that that will do zero. yes, because of what was said, but also just look at howdy verse mid the portfolio of organized crime is today. i mean, they don't need to rely on drugs, illegal drugs alone. yet if they were going to be

legalized, look at the pharmaceutical industry. a whrot of the drugs are -- lot of the drugs are legal, but they are being pirated, counterfeit. organized crime is making a lot of money out of it. i think that legalization, per se, is not the solution to organized crime. i think corruption, we need to tackle corruption. >> and one more comment, i think that, you know, the problem is already created that organized crime, particularly in latin american countries has been able to make billions of dollars trafficking marijuana and other other drugs and other contraband materials. i don't know how successful we'd be, and i agree with liz about the success that might or might not happen from legal idahoing marijuana. the example used is when alcohol was legal in the united states, you did not have involvement in

any great way, did gaming, prostitution, normal knuckle dragging racketeering things, but not large scale threats they became. when prohibition goes into effect, it's a bonanza. they make billions. it creates the al capones and luckies and the rest of the united states getting involved in the importation or production of the illegal alcohol and the speak easies and the network to district and consume it. when prohibition is eliminated, too late to eliminate. they have now become a powerful, national organization. they have dominated the four largest industries affected by the unions, corrupted public officials, police, and regulators, all the way through washington. the elimination of prohibition did not eliminate the mafia

growth that had been allowed and created, able to flourish was then entrenched, and now they could move to other things, other aspects to make money, and it was too late to take them out then, and it's taken, you know, 75 years of coordinated effort and sustained attack to reduce them now, and we have been successful in reducing them, and the example i would give is if you watch godfather one, it is a very accurate depiction of the power and control in the u.s. in the 40s, 50s, and 60s. as a result of the statute, wiretapping authority and sustained attacks went from god father one to the sopranos arguing over vacant lots in newark, new jersey. that reduction of power and influence from 26 national families down to a handful was significant, but it took 75 years to do it, and, really, the

elimination of prohibition did not weaken them. it was the continuing attack later that did. >> robert f. turner. >> i want to follow-up with your -- [inaudible] i'm bob turner from the university of virginia. i want to follow up on your comments. hollywood often pore -- portrays them as patriots who in times of crisis rallies to help the country. recently, i heard a story about how helpful they were after the 911 attacks, and i wondered if you want to address that? >> i don't know the particulars, but i know they were involved in rubbish hauling and corruption and taking the remains of people to places where they couldn't be found or sorted, so, you know, really criminal at the grossest level. >> i was running the fbi at the

time, had joint wiretaps, and our organized crime task forces going back decades proceeding 9/11. many task forces, organized crime terrorism, safe streets, violence crime in place for many, many years. the day after 9/11, we have our very patriotic members in new york saying, you know -- i'll leave out the expletives. those feds took us out of waste hauling, construction, the laborers union, which was involved at major construction sites, they did all of this damage to us over the last 20 years, but now the reconstruction and the knee jerk reaction after 9/11, we're back in business. we're going to send people to washington. we're going to try to go after the contracts. we're going to go after, as doug mentioned, the carting, the waste hauling of the debris.

one of the things that happened after the immediate response to ground zero was then to be just putting the material, the raw material, into dump trucks, taking it across the river to new jersey to landfills where teams of police and fbi agents literally, like prospectors, sifted through the debris, and i won't tell you the materials that came out of that, the human and other, but immediately, these guys were talking on the wiretaps, we're going to send that to our landfills and pep trait -- we'll going to get hands on money and jewelry and they didn't want this, and there was a huge argument after 9/11, who owned the debris? the insurance company, who is really a financial victim at ground zero, so that causeddeddics to put gps's on the trucks and monitor every single truck to make sure it didn't deviate by ten feet from

the route to the designated landfills where it was to go. that's your american thinking all these years we were out of business, but now, this is fantastic, we're going to make money again. >> i'm going to ask the last double-barreled question as to two possibilities for substantive intervention, and that is we put the ku klux klan largely out of business, that civil litigation played a very major role. should we in some ways, or have we already done it effectively, unleashed civil litigation against organized crime? the second question is, one look at the sources of criminality in money raising that kidnapping and payment of ransoms is a significant part of it. should we be more effective in seeking to criminalize payment

of ransom to the groups, and what is the comparison there in relation to what we've done on terrorism? anybody like to address any part of that double-barreled question? >> i'll take a shot at civil litigation. if you create a sufficient financial incentive, you get the litigants. that's always the way. i suspect the challenge is whether anyone thinks they can collect for a claim. there's a lot of claims out there, and often people sue terrorist organizations. the federal government, you know, obviously, strong civil forfeiture actions that can be effective too. the challenge is always finding and getting hands on the assets. >> if i could add to that, professor blake at notre dame would be proud. he was not proud for ten years after the statute was passedded in 1970 because nobody used it or figured it out until he said, hey, look at this tool. an example of civil -- the civil provisions are powerful and

actually enable the success of many of the other prosecutions. for example, i mentioned that they controlled the four largest labor unions in the u.s., teamsters, laborers, long shoremen, and the hotel workers. under the civil provisions, when those gangsters were convicted, civil suits were filed by the department of justice, removing them from ever being allowed to be a member of a labor organization again, so they couldn't, on paper, have no-show jobs, or in reality become union stewards or other union organizers used as front to maintain the control of the gangsters, so the civil part was enormous when iced throughout this period, 80s, 90s, and since to remove them permanently from ever participating in the labor organization. they couldn't go back to what they knew best, labor racketeering. >> anyone want to talk ransom issue and then the last issue?

>> i'm concerned with criminalizing the thing just to pay ransom because you may find a lot of people, a lot of families, desperate, trying to just bring a loved one, and, you know, i -- i have problems with that. i think it just -- we will be criminalizing the wrong individuals. >> thank you very much. i want to thank the panel for just a superb presentation. [applause] >> thank you, john, for a wonderful, wonderful panel and i want to thank the core sponsors of the annual review. we have from the center on national courting the law, georgetown law, particularly the dean and laura, and major

running the next panel and sharing it on cybersecurity and its future. i particularly want to thank the center on law, ethics, and security, duke university school of law, and charlie, who ran the panel yesterday, who did a wonderful job on authorization for the use of military force, and, lastly, the center for national security law, which is not only john norton moore, but a special person who is, right now, has his eye behind the camera, and that's bob turner, and these schools have been extraordinary in support and development of the area of national security law, so i want to take a 15-minute -- and i want to thank them officially for what they do. i want to thank the pammists for being fascinating, and all the room would love to remain as hostage for you, but we have to move on, and we'll reconvene in 15 minutes, and we'll have the panel on cybersecurity and the future. thank you very much. [inaudible conversations]

and he said we'd do it under title 10 but it is a problem we do it under title 50. we don't have a problem carrying out offensive operations. that said there is no such thing as cyberdeterrence. there are issues congress needs to work on. most of the large domestic but in terms of military capabilities, i am not cynical about congress.

i am cynical about this congress. in terms of military capability the military is not waiting for happy words from capitol hill. >> you wanted to respond, and if there is anything you would like to add? >> a brief point, on the policy level, i think when the sas cyber is hard, having done this for awhile, one of the reasons it is particularly hard, sitting in a room of hialeah educated people use abstract and difficult fought its but i would wager that for most of view, anything that happens beyond your keyboard is magic. where is your information going exactly? what is your computer doing when you are operating, one of the

underlying communications between you and your provider? a conversation on privacy and information sharing in this context that is fact based and rational? very difficult. trying to tease out fact from fiction when there are different parties with different interests, very difficult but the fact that you have a baseline community of consumers, all of us who don't exactly what we are working with, makes it again extremely difficult. much of this discussion about privacy and information is being had in a mediated environment. we need people to tell us whether the information we are leaking is important to not, whether it is private or not. no one wants their e-mail read if it is not done legally but -- >> even if it is. >> probably right. >> other aspects of this make it

so hard. particularly in the information sharing bucket where we are trying to figure out what information can or should be shared. getting a base line of what the information is, what it is is very difficult in a technophobia world. >> i have trouble seeing you. do you have anything to add on the privacy issue and legal concerns that have been raised? >> where you started was i have something to contribute to this debate. i hope it is a point of this audience will appreciate. my title is associate general counsel, not director of strategy and policy so people in think tanks can debate the subjects, our role is trying to help with legal ways to move forward.

in terms of privacy protection and information sharing the information sharing cornerstone of it has got to the trust and confidence in one another so privacy protection is absolutely critical and it has to be built into the whole project. i can talk about that a little more but underlying this whole conversation has got to be a level of trust and confidence and belief in one another and a lot of it comes back to privacy protection which we think is a key element we can bring to the table. >> two things. i want to move back to the point about deterrence and look at what role can the private sector play and can the private sector play a more active role but just before i do that i want -- just

this week, release the national institute of standards and technology released its preliminary cybersecurity framework and seeking public comment so this is another element of the domestic strategy, the strategy of the government working with the private sector on cybersecurity and i wanted to get maybe jim, from you to start, the framework is in part a response to a failure of legislation last year. do you think it is a useful effort and where do you see, where do you see it going? >> it is interesting because at the end of the debate last year, when you speak to individual senators for members they understand the problem and would

like to do the right thing. a few of the marbury ideological. we know that from the budget debate but most of them want to do something and they felt a lot of regret that they failed to pass a comprehensive bill. the bill had a lot of problems. i know that as well as anyone but behind the scenes after the two votes failed there was a big effort with john mccain and others to try to resuscitate something and they were unable to do that. as part of the reaction, the white house in august early august decided to the non-executive order that would use existing authorities of the president over the regulatory agencies he has control over and hopefully influence of the regulatory agencies like fcc to set standards for what adequate cybersecurity would look like. that is a good plan. the paragraph you want to look

at is paragraph 10, the one that says once this develops this framework related to -- regulatory agencies should compared to existing regulations and see if they are adequate for cybersecurity, please do this by 2015. we are not on what we call a quick cycle here but probably the best we can do. we just have to of the iranian revolutionary guard is patient. what does it mean? i was talking to miss people who are working on it at the beginning of the process, you guys of written on cybersecurity, how much of the written? only 12,000 pages. do you open it up when there's a crisis and whatever page you open to is what you do? the framework attempts to rectify that. it is a concise document, only 44 pages long and it is best to

think of it as an annotated bibliography of steps you can take to improve peer network security. it doesn't actually tell you how to do it. it is like getting a minuet restaurant but maybe the draft will change. what are the implications for this audience? two major changes this year that will reshape the legal landscape for cidersecurity, the first international. the group of government experts will come back to. the second is the mr framework which inadvertently and much to the shock and horror of some people creates the possibility of defining due diligence and if you are not exercising due diligence you should be liable that is the path we are on. has been of goal for more than a decade fur many in the field. how do you get companies to set this is what you must do? we are at the point where we can

say to people do these things and you will reduce risk by 80% or more and if you aren't doing them why you not doing them. due diligence liability is the implication i think of in this framework. this is pretty much done. there's a hand over that we will implement in some fashion. >> war and dan. >> question for you. executive order 16, 13636 was where this was introduced now rockefeller has introduced legislation in july that would make the statutory requirement i am assuming from your remarks you are opposed to that what your thoughts. >> i got a note saying don't trash us in the press because we took all the hard parts out of the bill. our bills are not going to pass this congress. they took out the part that may put the executive order -- i admire senator rockefeller. he has been pushing this since he was chairman of the select committee on intelligence. he is doing a great job, he

knows what to do and is trying to do it but judging from remarks i have gotten from his staff, he doesn't believe there is a chance so to get any bill passed they had to strip out the parts that would have made the executive order put into office. >> where do things stand in the next framework and how do you think it will help? >> jim described it very well in terms of timing. the framework is out for public comment. you were supposed to comment by december, there have been a number of workshops building this overtime. private industry, it will be issued finally in february, but if i could expand on it just all little, another angle to it is in this environment where congress is not able to pass legislation the president's decision is to try to encourage

the agency to do what we could under current authorities, developing this framework, one way we can make a contribution to establish best practices that will allow people to see where they need to be shooting to. at the same time another part of the executive order asks several agencies to think through a set of incentives that could be developed to encourage adoption of that framework or framework like it. in absence of regulation how can we incentivize that type of behavior? and that was issued, developed by different agencies and issued by the white house report, very thought-provoking area and i will mention some of the areas of incentive that were suggested. the problem with this being some are within the ability of

federal agencies to do and would still require congressional action but there are areas such as building cybersecurity insurance framework or industry so that underwriting practices would drive this, maybe leveraging current grant programs, process preference basically meaning if there is technical assistance, companies would benefit from by adopting cybersecurity framework in this framework that they would have at some level some level of preference for that like streamlining regulations or other incentives, an interesting complement to the developmental framework incentivizing people to get there. >> why not start -- i'm a huge champion of mist. i think there incredible at what they do. not a day goes by the we are not taking advantage of something that cannot of mist. but the tasks they were given

here doesn't end very well for security calfs for reasons we have already described. you look at the executive order and what the mandate is, talk about regulation, regulatory but going after the bad guys, the government warning the good guys about the bad guys are coming. you have to tell the good guys that the bad guys are coming. then it talks about best practices. it is not best practices for soldering metal, but best practices in a dynamic environment where the best practice is to -- the enemy who pivots and shift so what we have seen in the area of security, this gets back to focus, not cyberhi jean isn't good. it is ultimately ineffective more effectively at the margins, no more effective than saying have good best practices for

immortality. maybe i will get a couple more years but it doesn't ultimately end well. what you are seeing here is for the private sector it is the law of diminishing and then negative returns that are happening. the first problem is every dollar being spent on security is not getting the same value is it used to. at the beginning you have certain base layers, getting more dollars and eventually spending one dollar to get a dollar. what we are seeing is that is diminishing returns. will we seeing is negative returned. as we build the best practice, the enemies of overtake that which means our effort to actually increase the problem, we are spending dollars and making the problem worse which is hard for good people to accept. good people and smart people put a lot of effort into something they can't believe it is actually making the problem worse and it would be the same

if for example we have a good way to keep bad people out of this hotel, let's build a 20 foot brick wall because i understand the bad guys can't jump that high so we spend $2 million to build that 20 foot brick wall and it works for a week or two and the bad guy spends $50 and buys a 30 foot ladder and the government acted self on the back for warning us landscape has changed. the bad guy has the 30 foot ladder that conover take your best practice. you know what you need to do now? 40 foot brick wall. you see where this is going. an expense of $3 million for foundational problems and the cost of inflation i am going to be prepared for the government's warning about of a 50 foot ladder that only costs the bad guy $100. what you are seeing on the

constant focus on having the victim spend more on an environment that is dynamic and you can't keep up with it and the dollars we are spending on making the problems worse you would forgive the private sector for wondering how this ends. but missed recognized this issue and when they saw public comment they actually asked for comment about metrics of what success looks like in this environment. they said there is a dearth of metrics of success but that was the problem they're dealing with so for example if i am getting scam, my system is being scanned for intrusion, 1,000 times a minute and i could block 999 of those a minute but one gets through every minute of the day, that completely penetrates my system, exposes everything to confidentiality, integrity and availability harm. is that a successful security

system? your answer to that matters. there is no best practice that will get anywhere near that but it will cost paula and i am completely on leonard's side. we have got to go on the threat roots. we have got to do it better than ever before. legislative proposals have to focus on that and we have to think about what the role of government is and this might be where you are heading but we talked about the fourth amendment and privacy concerns, a very government centric view of this problem but the private sector through its own technology and its own market forces and its own transnational organizations including non-governmental organizations can help define those rules for their own groups. on this system, this environment this is what we consent to. these are the rules of the road and we have to start thinking more about what the government's role is in helping the private

sector, both at a professional and industry levelland non-governmental organizations which already control a lot of governance of the internet, how we include security in that model. not to sound like a broken record but i will keep saying this until we shift our strategies towards threat deterrence and i think we have to explore what the value of government is in figuring out what the powers of the private sector are as part of the elements of national powers that we have all grown to view as government centric, diplomatic, information, military, economic and law-enforcement but the private sector has those capabilities as well, using government institutions whether to better enable them to be civil lawsuits, to better enable them -- into the law-enforcement system. and nation states and rival companies that are benefiting

from stolen intellectual property. >> this informs to that. and new procedures are needed. certain information to other entities. and privacy concerns. none of them transferred authority, power, agencies to private industry and empower them to defend themselves. >> a lot of fun talking about that. google had the same capabilities, that is really cool. i do know you had new nuclear submarines and collections satellites but put that aside for the moment.

don't underestimate your opponents please. don't underestimate your own capabilities to deal with those because they are not bound by our laws. the thing on the metrics point, ceos and c i os have different metrics. and not going to get a sale. the ceo's metric is it will make the company get more money and that is the angle you have to take so we're seeing ceos do this calculation of risk. does your board have a risk committee? most people say yes and the risk committee considers cyberrisks? the answer is global mix and that is one of the metric we can use to see how this is changing. different matter, this is a hard

problem. >> support my colleague here. toss out a concern about the lens that is used, discussing this issue. and other activities of crime, spying but activities that are constant, in reality we are not going to eliminate. it will not disappear from other countries and neither will crime which is dedicated to minimizing that. no one actually says it will be eliminated. they are going to mitigate that threat.

vulnerability mitigation. we won't eliminate vulnerabilities. the one screen i have on that is other areas, we don't drive cars when they explode. that is unacceptable. planes tumble from the skies, unacceptable. they had hard work that is subject to vulnerable to intrusion. we have accepted that as not model. we accept there are updates to our computers. inherently subjective some vulnerabilities. we live in an environment where we are mitigating these problems but to live in a world where we eliminate them. and to mitigate these problems.

>> before we open up to questions, get a little more specific on what the private sector should be able to do and you or anyone else jump in on this, a lot of discussion of active defense of actions the private sector could do, moving outside of the infrastructure to get back, is this part of what you are talking about? private sector role in deterrence and reactions to that specifically. >> playbook for cyberevents, issues are discussed in a way

that is very even-handed. >> i have no financial, and i can say that. of very big compendium. >> i would rather start on the end of that. it would require the paradigm shift. a paradigm shift, that the internet and technology from a security perspective, differentiation, it is not the case, to the government, should be the same computer with the very same protocol, that i could buy in any electronic store. that makes no sense and no

consequences in moving data between top secret, secret and unclassified networks and we heard a couple years ago how the consequence on one occasion, i don't know if world is the right word but multiply infected with malware which not only has an effect on confidentiality but it could have destroyed our information base. the first thing is to try to figure out what the technological solutions are and that is a private sector challenge. and there's an opportunity to come up with hardware, software, differentiate security and privacy models. so many areas need the greatest security. and the least amount of privacy which is interesting, an opportunity for where you could start. when you think of the electorate

power grid, high security environment, very low or nonexistent requirement, if you are operating on the electric power grid you should be known to the biometric level. and focused after that. the first consideration for the internet, and they talk with each other. and the focus was on bandwidth, speed and the focus on the engineering community. and threat deterrence. that is the first level. where can we have better systems that are interoperable, international and promote environment for detection and

attribution. the second would-be, internationally one could very much think all the problems we have coming up with international agreement between governments, starting with cybercrime convention, and between allied countries for law-enforcement purposes, and that doesn't make major players in the space. could be more easily resolved by the private sector in the governance models that would say if you want to operate in this platform with this hardware or these protocols internationally the governance model has private sector emergency readiness teams, search and seizure, data and stabilize the situation in a way to get the detection attribution that can be used for

some penalty on the adversary that did that might be blocking some people out of the system, might be turning it over to the government, may be civil lawsuits, in gauging shame campaigns, whatever the issue is. this notion that the model we are looking towards might not be an agreement between governments fundamentally but an international agreement between similar communities of interest in the private sector. i was often reminded and it bears out that in the private sector when i am speaking with the company they are likely place in excess of 150 countries, if i could bring ten transnational corporations together. and we are looking at non-governmental organizations that are handling domain issues.

we have aaron and its brethren looking at internet protocol, addressable space but you don't have a similar non-governmental organization that has formed and federated for the purposes of security and that is a model we could consider. where does that leave us without a larger strategic vision? the private sector similar to government operating dependent we depending on where they are. we saw an internet security company abroad that broke into a china peer l 8 infrastructure in hong kong, breaking down the path for words and smoking through the infrastructure and publishing that, where all the bad guy. and the prospective about the united states from that vision, the point is you broken to that computer system, destroy and

damage it but that is an unauthorized access and you made it by going through that and commit all sorts of other harms and violating surveillance and statutes. depending on your world view of whether that is the case now or not, the real dialogue has to be whether or not that should be the case and if they lead to positive goods, goals that we want, how you do that in coordination, cooperation or under the guidance of nation states and wall full systems and what comes of those, and i have never been in favor and strongly oppose anything that looks like vigilante is some, getting a pound of flesh for a pound of harm, a pure matter of revenge, but there is a lot that doesn't fall into that category.

when people speak about active defense there is some group that immediately drive towards as a dilatory models and i don't know if they think that is going to happen or just throwing that into the mix to disturb the rest of the conversation in a disingenuous way. but regardless, there are things that can happen right now, possibilities for detection and attribution that are on network and off network, a lot of bad guys are operating on networks that have no protection of passwords, they are pulling information back, keeping it there until they go back and obtain it for further use. i have never heard anyone say there is an open access for that has your information that you can't go and get it back or delete it. to bring down the infrastructure. the area that i think is most right for consideration by a group of lawyers such as this

and from that policy perspective is where does the real world views of self-defense, property, defense of life, have cyberanalyzed, we have in the past seen that areas where something would be traditionally or technically unlawful, when it is done in a necessary and proportionate way is justified under a law and that would be true of someone who steals someone's property running down the street if someone were to say are you able to tackle some become a holding down on the street for 15 minutes you would rightfully get the answer no, that would be assault and battery and kidnapping. 5 put it into context and say they are making off with someone's property, there was no law enforcement presence and the purpose was to get them in place not to harm them and hold them until law enforcement arrives of course that can be done and that

would be justified so lot of the areas of the private sector is considering now is what is the ability to stabilize situations to restrain certain evidence in place with restraint in order to then we engage the government so only as necessary and proportionate, unless the private sector acted would be met with irreparable harm. >> thank you. i want to get to the audience. we have a couple people who want to jump in on this. may be laura first and then jim. >> there are different levels of privacy protection depending what the domain is good to say you have no privacy interest in the electricity you use, and thermal imaging in sight of a home we cannot collect information that indicates how i use in this case of whites for marijuana plants because that is under the fourth amendment. similarly if you are not at home your electricity use would indicate the idea you can figure this out from all that information would be open to

challenge. the fourth amendment protects persons affects, houses, papers, that information, you have to have probable cause and supported by other affirmation described particularly -- >> directly addressed to me. i never suggested that there wasn't a privacy consideration. i was talking about electric power generating grid as having high security for anonymity. i'm talking the actual grid, not smart grid coming into the home. i don't challenge that in any way. >> i will talk really fast. i am not going to talk fast. i have a different experience from most people in the united states. i have been conducting with the permission of the government regular talks with the chinese ministry of state security and the people's liberation army about cybersecurity, participants include u.s. government officials. one of the reasons we worry

about escalation and miscalculation and misinterpretation is the chinese have brought it up. at various times in their remarks they said things like there is no such thing as the private sector. companies are acting at your behest. of course they say that. that is how it works in china. they also said if we show up and ask for fbi cooperation, will you cooperate? if we find someone doing something an american company and bring a case to the fbi will you cooperate? the fbi representative said we would cooperate in investigating and perhaps prosecuting that american company. something to bear in mind. legal framework is changing. the group of government experts in the un put out a report endorsed by the secretary general and the general assembly that says international law applies to cyberspace, national sovereignty applies to cyberspace, the un charter applies to cyberspace, there are

borders in cyberspace. get rid of the old dot.com stuff. states are responsible for actions taken by those presidents in their territory. this is the new international standard. think about how the world will change in the next few years as people move down this path of moving cyberspace from being this dot.com vision to another extension of the national framework for international relations and national security that we have now. >> great. okay. why don't we see if we have any questions. anybody? okay. back there? harvey? >> university of north carolina law. trying to combine some of the points that were made around the

presidential directive, the points, the band-aid being in sufficient and i would think would be addressed in large part by the president's actions, top-secret but available on the guardian website as revealed in july that authorized offensive and defensive end even defensive in a mode of deterrence but offensive cyberand defect operations and the headlines ran with there being a target list associated with this revelation that the president authorized. i don't know if there is constitutional or congressional issues by the president alone but regardless, that is what seemed to be exactly to the point of there being a failure of deterrence by the government so if is not is that because maybe this gets into the issues of i don't understand what is happening on my computer because terms are very aebtract but sounds like offensive

cyberdefect operation target list isn't the government doing something to directly deters and if not why not? is there something about the mechanics that don't equate to actual deterrence? >> can i tried at first? the debate has been caught up to the larger international debate. >> i think it is. >> i am sorry. i take it all back. discussion in the u.s. hasn't caught up to where the integerational discussion is an in part that is because it is normal diplomatic stuff, it is classified and it would be useful if the state department was a litrecte more transparent. i think they are trying but the issues you raise deal directly to how beginning to interpret the laws of armed conflict as they apply to cyberspace and the first is can we define what an

actual attack is? yes we can and is consistent with the definitions we have and grows out of the estonian experience and others. there has to be violence, there has to be damaged, there has 3 casualties or death. there are areas of ambiguity that there's a general sense this is an attack that would justify a military response and the desire to see this carried out and the provisions of the un charter and applying to self-defense. most of what we see in cyberspace does not qualify as an attack. we call that an aat aack in the press but from the perspective of the international community is not an attack. there for a military response is not justified. we have tremendous military capabilities but they are not going to deter crime risk. they didn't deter crime risk in the cold war. why are we surprised now? >> if i could pull the threat on that, the question about cyberoffensive capabilities, the

nation's states ability regardless of what the incoming threat is. cyberoffensive effect could be against the bombing. not necessarily symmetric to a cyberthreat. when i talk about threats beterrence although that could be one piece with limited potential liity circumstances, part of a greater mix of military power that we might have i try to put that in the wider context of all of the elements of national power so that is part of it but you still have diplomatic, economic, law enforcement private sector capabilities that combined really should have a deterrent defect so it is one small aspet to answer your question and one that is liity for our views.

>> harvey? we have a microphone? >> thank you for wonderful panel. as you know on groundhog day, bill murray becomes a better person and he gets the girl so there's a good ending. last night, too bad more people, melissa hathaway gave a presentation about her perspective of where we are. and the george bush administration. and core authors of the cybersecurity initiative. and one of the things we talked about enacted for many of us.

and taken aback by the lack of international strategy, and it is intriguing for what you guys think of the group because he raised the issue, you raise the quiet negotiations jim has been involved with but what do you see as the best model for an international set of standards that we should be heading 4 as part of the information sharing because portion 25, acting all over the world, a whole range of information sharing issues, curious to see the brain power on the panel. and look at the cybera playbook and many issues you raise are discussed for the committee. thanks. >> i am ultimately very positive about this. remember keith alexander is an army general so when he wakes up the recites the army creed and

the key line is i will never accept defeat sell or will never quit. toothpaste dribbles on his chin because he is pressing his teeth when he is saying that but we are going to win this one but it will take a long time. if we are making progress will be on the diplomatic side. the terrain is changing. and political, the u.s. experience range of setbacks and we do have a diplomatic strategy. it is not necessarily entirely public but it is available at the white house website. >> what is happening, steve touched on this, i have been trying to remember why we did this. i worked on these issues in the clinton white house and we split them. we have a secure network group and ecommerce working group and i was one of the two crossover people. why did we split them?

who knows? they have come back to get there so you now see the shoes of cybersecurity and internet governance, overlapping considerably and as part of that you have control over content issues and the issue of data flows and not helped by the ed snowden revelations so every country has the same reaction. you will storm my data in another country? no way. it has got to be here. most countries that is their opening position. that is the debate we are having now. we are in a period of transition, moving to a world where cyberspace will be treated like every other space, physical landor the seas, how you manage that transition so the we don't lose key values and yet we can have a more stable and secure environment will be more difficult so we have a strategy.

you can say it is not public enough that there are larger political influences buffeting to make it more difficult to achieve. >> laura and then leonard. >> my only point is in light of recent revelations, regarding encryption, standards setting, high level of cynicism overseas, not just a brazilian visit that is canceled, there is very serious opposition to what the united states has done overseas. in the summer it was remarkable the extent to which the anger toward the united states and we can often forget that domestically but these revelations have been a significant setback to our diplomatic efforts abroad. it is too early to see how that will pan out. if it will pan out that the united states is able to lead from behind or regain a leadership position, we will see significant fallout internationally for some time to

come. >> brief point. are am an optimist. time is on our side. development of international norms will follow from the proliferation of the technology so in 1996 when they started to negotiate it was among countries that had a certain amount of technological gain already. i think what we are seeing with proliferation everywhere is some of the norms that have driven the other international advancements will become more possible, when someone brings up letters of marque in this context, there are certain types of international attitudes towards attacking, and the intruding of networks that likely will gain a purchase and make it easier. and create international doctrine. >> any other questions?

over here. >> i am from the office of army general counsel and listening to what steven is saying and i agree with you about how probably no longer suffices for government to expel kate best practices and constantly changing fred environment but laura made an excellent point about the cyberdistrust between industry and government and i would add a third quarter to that, the masses, the popular push back shows that there's a time for cyberdistressed so even before we get our international cyber grand strategies in line as melissa was talking about do you have any ideas going forward

how to get these disparate repositioned stakeholders on the same page? that to me seems critical before we can get everything else going. >> i don't like talking some much. first of all, they are not the same. privacy community tried to consolidate them. i talked to one republican chairman who said he had gotten more letters on sopaula than any other issue. it stands for stop online privacy act. it was an act that would have diverted people to a site and says stop, you are violating

federal law. it messed with -- a bad idea. sis sispais very different. this is how things work in a democracy because we are in a politically difficult situation. it is moving more slowly but i think we will bring people around. when you talk on the hill five years ago we had this experience, they really would say get out of mild way, wire you bothering me with this cyber stuff, now they get it. we are on a path to fix these things. you will have significant objections and one of the things we are not dealing with, ed snowden episode is not accidental. it is planned. and on state actor engaging in information warfare against the u.s.. we have a new kind of opponent and a new kind of conflict and

we are not doing well in dealing with it right now. these are things we have to overcome but i am positive we can overcome them. >> part of your question related to developing levels of trust and credibility between the players in terms of privacy, there are some models to proceed and i have a personal or unique perspective on this. i was appointed by the president in april of 2003 to be the first officer for civil rights and civil liberties that the department of homeland security. in with a first. this never happened in government where the physician never existed in any government agency before. on the same day, secretary appointed chief privacy officer. we headed out together, this concerted world to figure out what to make of it and we developed some traction to

figure out how to get through the policy world and develop some traction. i left the department of homeland security and came back in the last few months and i have been released rock by the structure of privacy that has been built in. i walked past a cubicle three times the day, so and so, privacy officer. the privacy impact assessment, the idea of having a privacy impact assessment in your organization sets the privacy impact of your program, was for an to is in april of 2003. my colleague introduced this idea for the first time and if you look at our website, we have probably a dozen private impact assessments on cyberrelated programs and we fought on the einstein program itself. these folks do training, cyber specific privacy training, our

reach, advisory councils. i think my point is i am optimistic there are models we can build upon in the of privacy and civil liberties arena that could establish levels of confidence. we need to adopt those across government and a lot of private entities to have that kind of and better appreciation for these issues but there are ways to proceed. >> everybody on the panel, leonard and laura have something to contribute. >> this comes back to the point i made about information and people understanding technology. i like to proselytize on that issue of i can because i do believe that the private sector is not going to get in front of the public on this. they have business concerns that will drive them back from the leading edge of doing certain things. one of the frustrations we face

working closely with our colleagues several years ago, people were very concerned there would be systems that would be filled during their e-mails, trying to find malicious code or things that shouldn't be there and we spent a lot of time asking people do you have an e-mail account? that spam is not getting to you? how do you think it is not getting to you? there was a lack of appreciation of very technologies we were talking about, things that were broadly implementing them private sector and used as a baseline common-sense security measures but there is a lack of appreciation for that. i do think part of it is trying to develop a more tech savvy world where people understand the way information is normally protected, things we normally as a matter of course have to do to protect information and why it is different parts of this whole

enterprise of cybersecurity. >> this gives me an opportunity to end on a happy note. despite certain pitfalls you will see here and there over time the government and private sector are working remarkably well together every day. even some of the players that you mentioned daily are working with law-enforcement, with the government. those might not make the headlines but they are happening all the time. the fbi program started in 1996, has 55,000 people, meeting for about the country every day building of the type of trust that is historic, doesn't change based on an event here or there, a secret service, electronic crimes task force working with the defense industrial base together with nsa information assurance director, it goes on and on. my main point is a private sector and government are

working well together. we have to align for the right goals but i don't see a problem in that regard. >> i want to respond to dan's point. there is a real danger here by checking the box we address the underlying concern and i'm thinking of privacy. we have privacy and civil liberty board with no subpoena authority, no money and no teeth. the idea that we have one great, but what can it do? we have exceptions for national security that are routinely used with regard to the biometric program and the privacy act which is almost 40 years old and no longer does what it set out to do. we have exceptions for national security that are routinely used to design even request for legal reasoning why someone has engage in certain activity. we have seen with judge reggie walton's release in august of

this year that actually you can release legal reasoning without providing too much information about the underlying tissues and a secret court secretly carved out an exception to the fourth amendment, the supreme court itself has never recognized so when you say we are doing a lot on privacy is hard not to be too cynical about that when you see this underlying deficit. this is back to the point of your question which is there is a problem when you have a population of you are trying to get by from them there's a certain amount of cynicism and concern about the level to which democratic governance can continue if you don't know what is happening in your name and what your elected representatives are doing. >> we have two minutes left. so if somebody has an easy question? >> the questions are always easy. it is the answers. >> i hope it is an easy question. it may not be an answer yet and

that is how the liability issue that was mentioned with regard to the new framework may play out and i wanted to ask about the broad community, many of whom see themselves as security researchers, who report zero days when they find vulnerabilities. i would like to know what the panel thinks of that community. is there a place for a crowd sourcing of vulnerability is? what do you think? >> who wants to jump in on that? >> take the financial sector as an example. there are 20 different laws that relate to customers information region terms of liability they are the most obvious, you have 1999 fair credit reporting act, the electronic funds transfer act, write to financial privacy act which protect information against government access,

consumer protection act, all sorts of ways in which liability is encouraged and the bickering statutory regime that will have to be addressed in some sort of long-term comprehensive cybersecurity package. >> on the second portion i will give you normative answer. descriptively those people, fraud and abuse, does not have a provision for self-help or doing it to help everyone else. nothing is recognized under the law to assist those people by having their acts rendered lawful. normative lee, i personally think there are concerns about opening up the landscape is a different parties determine themselves what move they can take, what data they can retrieve, what costs they can

impose on others when information is taken from their networks, in part because there is great variation in this but anyone who suggests to use at conducting an intrusion, on a network you are unfamiliar with his simple and without risk, probably selling you something. there are great risks to doing that and the question is if we build that into the law are we creating a more or less resilience, secure cyberspace? this open door to the left stable. >> jim says he has -- >> a tiny one. the cost of buying these sorts of vulnerabilities, the guys to do this tell me the price has gone up for a new one and now 100 k, more competition. the people who complain most are

researchers in china. they say you a note to the state to give it to us for free, discounts and other chinese guys moving to singapore. interesting market here. liability, it will become easier. we are collecting more data. think of where we were. we know so much more than we did five years ago and getting to the point. and here are things you could have done to reduce risk. why weren't you doing them? when that happens you will start to see legal action. >> i hope everyone will join me in thanking this terrific panel. [applause] >> thank you. administrative announcement if you would clear the room comes as you did yesterday you could leave your personal belongings

on your seat and we will be back 45 minutes. [inaudible conversations] .. that would get me the best biologist. look at the nasa portfolio today. it's got bio